Bug 198955 - [archivers/cabextract][security] Multiple vulnerabilities
Summary: [archivers/cabextract][security] Multiple vulnerabilities
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Xin LI
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-27 19:22 UTC by Sevan Janiyan
Modified: 2015-06-01 06:10 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (gabor)


Attachments
security/vuxml update for CVE-2015-2060 and CVE-2014-9556 (2.64 KB, patch)
2015-05-30 16:30 UTC, Jason Unovitch
no flags Details | Diff
Poudriere Testport Log from 11.0-CURRENT amd64 (20.24 KB, text/x-log)
2015-05-30 16:33 UTC, Jason Unovitch
no flags Details
archivers/cabextract update from 1.4 -> 1.6 (863 bytes, patch)
2015-05-30 16:36 UTC, Jason Unovitch
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sevan Janiyan 2015-03-27 19:22:44 UTC
CVE-2014-9556 CVE-2015-2060
Comment 1 Jason Unovitch freebsd_committer 2015-05-30 16:30:46 UTC
Created attachment 157283 [details]
security/vuxml update for CVE-2015-2060 and CVE-2014-9556

Sevan,
Thanks once again for the astute eye catching these issues and pointing them out.

Gabor,
I hope you don't mind but I figured you can use some help.  This has been sitting in the queue for a while and was a trivial patch to do that fixes documented security issues.  The research for validating vuxml and runtime took far longer than the Makefile bump and make makesum.

As pointed out by Sevan, there are two CVE's fixed in the upcoming patches.  The libmspack CVE announced in December 2014 was already fixed in libmspack but no associated entry was made.  Since it affects cabextract <= 1.5, document it now for the sake of being thorough.

Jason

#
# Proposed Changelog:
#

- Document CVE-2014-9556 for libmspack and cabextract infinite loop denial of service
- Document CVE-2015-2060 for cabextract directory traversal with UTF-8 symbols in filenames

PR: 198955
Submitted by: Jason Unovitch <jason unovitch gmail com>
Reported by: Sevan Janiyan <venture37 geeklan co uk>

#
# security/vuxml validation steps follow:
#

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cabextract-1.4
cabextract-1.4 is vulnerable:
cabextract -- directory traversal with UTF-8 symbols in filenames
CVE: CVE-2015-2060
WWW: http://vuxml.FreeBSD.org/freebsd/cfb12f02-06e1-11e5-8fda-002590263bf5.html

cabextract-1.4 is vulnerable:
libmspack -- frame_end overflow which could cause infinite loop
CVE: CVE-2014-9556
WWW: http://vuxml.FreeBSD.org/freebsd/cc7548ef-06e1-11e5-8fda-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cabextract-1.5
cabextract-1.5 is vulnerable:
cabextract -- directory traversal with UTF-8 symbols in filenames
CVE: CVE-2015-2060
WWW: http://vuxml.FreeBSD.org/freebsd/cfb12f02-06e1-11e5-8fda-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cabextract-1.6
0 problem(s) in the installed packages found.


# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libmspack-0.4
libmspack-0.4 is vulnerable:
libmspack -- frame_end overflow which could cause infinite loop
CVE: CVE-2014-9556
WWW: http://vuxml.FreeBSD.org/freebsd/cc7548ef-06e1-11e5-8fda-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libmspack-0.5
0 problem(s) in the installed packages found.
Comment 2 Jason Unovitch freebsd_committer 2015-05-30 16:33:09 UTC
Created attachment 157284 [details]
Poudriere Testport Log from 11.0-CURRENT amd64

Also bulk build tested on the following releases (info from `poudriere jail -l`)
8.4-RELEASE-p28      amd64
8.4-RELEASE-p28      i386
9.3-RELEASE-p14      amd64
9.3-RELEASE-p14      i386
10.1-RELEASE-p10     amd64
10.1-RELEASE-p10     i386
11.0-CURRENT r282869 amd64
11.0-CURRENT r282869 i386

Below is all the runtime validation that shows the CVE's are all fixed:

# CVE-2014-9556
# cabextract-1.4
# Runtime tests aided by sample file from Debian Bugzilla at https://bugs.debian.org/773041
# The process hangs, top in another shell confirms it spinning at 100% CPU in a denial of service
#################

% cabextract hang.cab
Extracting cabinet: hang.cab
  extracting limerick
^C 

# top | head
last pid:  4647;  load averages:  1.20,  1.09,  0.71  up 0+06:06:41    11:28:32
58 processes:  2 running, 56 sleeping

Mem: 94M Active, 225M Inact, 707M Wired, 754M Buf, 6920M Free
Swap: 2048M Total, 2048M Free
  

  PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
 4606 test          1 102    0 12408K  2008K CPU3    3   8:53 100.00% cabextract
 1008 test          5  20    0   176M 73532K uwait   3   1:10   0.00% Xorg

# CVE-2014-9556
# cabextract-1.5
# Runtime tests aided by sample file from Debian Bugzilla at https://bugs.debian.org/773041
# Runtime looks good. No hang.
#################

 % cabextract hang.cab
Extracting cabinet: hang.cab
  extracting limerick
limerick: error in CAB data format

All done, errors in processing 1 file(s)

# CVE-2015-2060
# cabextract-1.5
# Runtime tests based off steps in Red Hat bugzilla. 1.4 and 1.5 were both vulnerable to the bad path checks.
# https://bugzilla.redhat.com/show_bug.cgi?id=cve-2015-2060
#################

root@freebsd10:/tmp # cabextract -v
cabextract version 1.5
root@freebsd10:/tmp # touch xxxxxxxxxx
root@freebsd10:/tmp # lcab xxxxxxxxxx test.cab
lcab v1.0b11 (2003) by Rien (rien@geekshop.be)
nopath          : no
recursive       : no
quiet           : no
inputfiles      : xxxxxxxxxx
outputfile      : test.cab
cabfile         : 0 bytes (approx. 0.00 Kbytes)
cfileInit: xxxxxxxxxx localtime:
tmp,header,folder,.
done
root@freebsd10:/tmp # gsed -i 's|\x20\x00xxxxxxxxxx|\xa0\x00\xe0\x80\xaftmp/abs|g' test.cab
root@freebsd10:/tmp # rm xxxxxxxxxx
root@freebsd10:/tmp # ls /tmp/abs
ls: /tmp/abs: No such file or directory
root@freebsd10:/tmp # cabextract test.cab
Extracting cabinet: test.cab
  extracting /tmp/abs

All done, no errors.
root@freebsd10:/tmp # ls /tmp/abs
/tmp/abs

# CVE-2015-2060
# cabextract-1.6
# Runtime tests based off steps in Red Hat bugzilla. 1.6 is no longer vulnerable.
# https://bugzilla.redhat.com/show_bug.cgi?id=cve-2015-2060
#################

root@freebsd10:/mnt # touch xxxxxxxxxx
root@freebsd10:/mnt # lcab xxxxxxxxxx test.cab
lcab v1.0b11 (2003) by Rien (rien@geekshop.be)
nopath          : no
recursive       : no
quiet           : no
inputfiles      : xxxxxxxxxx
outputfile      : test.cab
cabfile         : 0 bytes (approx. 0.00 Kbytes)
cfileInit: xxxxxxxxxx localtime:
tmp,header,folder,.
done
root@freebsd10:/mnt # gsed -i 's|\x20\x00xxxxxxxxxx|\xa0\x00\xe0\x80\xaftmp/abs|g' test.cab
root@freebsd10:/mnt # rm xxxxxxxxxx
root@freebsd10:/mnt # ls /tmp/abs
ls: /tmp/abs: No such file or directory
root@freebsd10:/mnt # cabextract test.cab
Extracting cabinet: test.cab
  extracting tmp/abs

All done, no errors.
root@freebsd10:/mnt # ls tmp/abs
tmp/abs
root@freebsd10:/mnt # cat tmp/abs
Comment 3 Jason Unovitch freebsd_committer 2015-05-30 16:36:27 UTC
Created attachment 157285 [details]
archivers/cabextract update from 1.4 -> 1.6

Security update to 1.6

PR: 198955
Security: cc7548ef-06e1-11e5-8fda-002590263bf5
Security: CVE-2014-9556
Security: cfb12f02-06e1-11e5-8fda-002590263bf5
Security: CVE-2015-2060
Submitted by: Jason Unovitch <jason unovitch gmail com>
Reported by: Sevan Janiyan <venture37 geeklan co uk>
MFH: 2015Q2
Comment 4 commit-hook freebsd_committer 2015-06-01 05:59:19 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun  1 05:59:01 UTC 2015
New revision: 388200
URL: https://svnweb.freebsd.org/changeset/ports/388200

Log:
  Reflect CVE-2015-2060 and CVE-2014-9556.

  PR:		ports/198955
  Submitted by:	Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
Comment 5 commit-hook freebsd_committer 2015-06-01 06:05:21 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun  1 06:04:37 UTC 2015
New revision: 388201
URL: https://svnweb.freebsd.org/changeset/ports/388201

Log:
  Security update to 1.6

  PR:		198955
  Security:	cc7548ef-06e1-11e5-8fda-002590263bf5
  Security:	CVE-2014-9556
  Security:	cfb12f02-06e1-11e5-8fda-002590263bf5
  Security:	CVE-2015-2060
  Submitted by:	Jason Unovitch <jason unovitch gmail com>
  Reported by:	Sevan Janiyan <venture37 geeklan co uk>
  Approved by:	maintainer timeout
  MFH:		2015Q2

Changes:
  head/archivers/cabextract/Makefile
  head/archivers/cabextract/distinfo
Comment 6 commit-hook freebsd_committer 2015-06-01 06:07:23 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun  1 06:06:49 UTC 2015
New revision: 388202
URL: https://svnweb.freebsd.org/changeset/ports/388202

Log:
  MFH: r388201

  Security update to 1.6

  PR:		198955
  Security:	cc7548ef-06e1-11e5-8fda-002590263bf5
  Security:	CVE-2014-9556
  Security:	cfb12f02-06e1-11e5-8fda-002590263bf5
  Security:	CVE-2015-2060
  Submitted by:	Jason Unovitch <jason unovitch gmail com>
  Reported by:	Sevan Janiyan <venture37 geeklan co uk>
  Approved by:	ports-secteam

Changes:
_U  branches/2015Q2/
  branches/2015Q2/archivers/cabextract/Makefile
  branches/2015Q2/archivers/cabextract/distinfo
Comment 7 Xin LI freebsd_committer 2015-06-01 06:10:12 UTC
Patch applied as a maintainer timeout because this wasn't touched for quite some time and the problem can enable a remote attacker to e.g. provoke the bug by sending a malicious email to a mail scanning system.